5
Jul

what’s new with the Cisco ASDM 7.4.X

Cisco has release 7.4.2 ASDM so is it time to look at upgrading lets have a look at whats new with the Cisco ASDM 7.4.x.

The following is taken from the cisco release notes

To Sum up 7.4.x has a lot of improvements with SIP, remote access, security and a few new certifications, and cant forget Policy Based routing. I would recommend everyone who manages ASA’s to upgrade but remember if you haven’t upgrade your ASA to pay attention to the upgrade path and requirements in the release notes.

As always if you have any questions please don’t hesitate to contacts us here at Tecnic Group. all SkyComm and Tecnic clients with Managed services contacts will be upgrading you to the latest version this month.

Feature

Description

ASAv on VMware no longer requires vCenter support

You can now install the ASAv on VMware without vCenter using the vSphere client or the OVFTool using a Day 0 configuration.

ASAv on Amazon Web Services (AWS)

You can now use the ASAv with Amazon Web Services (AWS) and the Day 0 configuration.

Table 4 New Features for ASDM Version 7.4(2)

Feature

Description

Remote Access Features

AnyConnect Version 4.1 support

ASDM now supports AnyConnect Version 4.1.

We modified the following screen: Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Client Profile (a new profile called AMP Enabler Service Profile)

Table 5 New Features for ASA Version 9.4(1)/ASDM Version 7.4(1)

Feature

Description

Platform Features

ASA 5506W-X, ASA 5506H-X, ASA 5508-X, ASA 5516-X

We introduced the following models: ASA 5506W-X with wireless access point, hardened ASA 5506H-X, ASA 5508-X, ASA 5516-X.

We introduced the following command: hw-module module wlan recover image, hw-module module wlan recover image.

Certification Features

Department of Defense Unified Capabilities Requirements (UCR) 2013 Certification

The ASA was updated to comply with the DoD UCR 2013 requirements. See the rows in this table for the following features that were added for this certification:

  • Periodic certificate authentication
  • Certificate expiration alerts
  • Enforcement of the basic constraints CA flag
  • ASDM Username From Certificate Configuration
  • IKEv2 invalid selectors notification configuration
  • IKEv2 pre-shared key in Hex

FIPS 140-2 Certification compliance updates

When you enable FIPS mode on the ASA, additional restrictions are put in place for the ASA to be FIPS 140-2 compliant. Restrictions include:

  • RSA and DH Key Size Restrictions—Only RSA and DH keys 2K (2048 bits) or larger are allowed. For DH, this means groups 1 (768 bit), 2 (1024 bit), and 5 (1536 bit) are not allowed.

Note: The key size restrictions disable use of IKEv1 with FIPS.

  • Restrictions on the Hash Algorithm for Digital Signatures—Only SHA256 or better is allowed.
  • SSH Cipher Restrictions—Allowed ciphers: aes128-cbc or aes256-cbc. MACs: SHA1

To see the FIPS certification status for the ASA, see:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf

This PDF is updated weekly.

See the Computer Security Division Computer Security Resource Center site for more information:

http://csrc.nist.gov/groups/STM/cmvp/inprocess.html

We modified the following command: fips enable

Firewall Features

Improved SIP inspection performance on multiple core ASAs.

If you have multiple SIP signaling flows going through an ASA with multiple cores, SIP inspection performance has been improved. However, you will not see improved performance if you are using a TLS, phone, or IME proxy.

We did not modify any screens.

SIP inspection support for Phone Proxy and UC-IME Proxy was removed.

You can no longer use Phone Proxy or UC-IME Proxy when configuring SIP inspection. Use TLS Proxy to inspect encrypted traffic.

We removed Phone Proxy and UC-IME Proxy from the Select SIP Inspect Map service policy dialog box.

DCERPC inspection support for ISystemMapper UUID message RemoteGetClassObject opnum3.

The ASA started supporting non-EPM DCERPC messages in release 8.3, supporting the ISystemMapper UUID message RemoteCreateInstance opnum4. This change extends support to the RemoteGetClassObject opnum3 message.

We did not modify any screens.

Unlimited SNMP server trap hosts per context

The ASA supports an unlimited number of SNMP server trap hosts per context. The show snmp-server host command output displays only the active hosts that are polling the ASA, as well as the statically configured hosts.

We did not modify any screens.

VXLAN packet inspection

The ASA can inspect the VXLAN header to enforce compliance with the standard format.

We modified the following screen: Configuration > Firewall > Service Policy Rules > Add Service Policy Rule > Rule Actions > Protocol Inspection

DHCP monitoring for IPv6

You can now monitor DHCP statistics and DHCP bindings for IPv6.

We introduced the following screens:

Monitoring > Interfaces > DHCP > IPV6 DHCP Statistics
Monitoring > Interfaces > DHCP > IPV6 DHCP Binding
.

High Availability Features

Blocking syslog generation on a standby ASA

You can now block specific syslogs from being generated on a standby unit.

We did not modify any screens.

Enable and disable ASA cluster health monitoring per interface

You can now enable or disable health monitoring per interface. Health monitoring is enabled by default on all port-channel, redundant, and single physical interfaces. Health monitoring is not performed on VLAN subinterfaces or virtual interfaces such as VNIs or BVIs. You cannot configure monitoring for the cluster control link; it is always monitored. You might want to disable health monitoring of non-essential interfaces, for example, the management interface.

We introduced the following screen: Configuration > Device Management > High Availability and Scalability > ASA Cluster > Cluster Interface Health Monitoring

ASA clustering support for DHCP relay

You can now configure DHCP relay on the ASA cluster. Client DHCP requests are load-balanced to the cluster members using a hash of the client MAC address. DHCP client and server functions are still not supported.

We did not modify any screens.

SIP inspection support in ASA clustering

You can now configure SIP inspection on the ASA cluster. A control flow can be created on any unit (due to load balancing), but its child data flows must reside on the same unit. TLS Proxy configuration is not supported.

We did not modify any screens.

Routing Features

Policy Based Routing

Policy Based Routing (PBR) is a mechanism by which traffic is routed through specific paths with a specified QoS using ACLs. ACLs let traffic be classified based on the content of the packet’s Layer 3 and Layer 4 headers. This solution lets administrators provide QoS to differentiated traffic, distribute interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost switched paths, and allows Internet service providers and other organizations to route traffic originating from various sets of users through well-defined Internet connections.

We introduced or modified the following screens:

Configuration > Device Setup > Routing > Route Maps > Policy Based Routing
Configuration > Device Setup > Routing > Interface Settings > Interfaces.

Interface Features

VXLAN support

VXLAN support was added, including VXLAN tunnel endpoint (VTEP) support. You can define one VTEP source interface per ASA or security context.

We introduced the following screens:

Configuration > Device Setup > Interface Settings > Interfaces > Add > VNI Interface
Configuration > Device Setup > Interface Settings > VXLAN

Monitoring Features

Memory tracking for the EEM

We have added a new debugging feature to log memory allocations and memory usage, and to respond to memory logging wrap events.

We modified the following screen: Configuration > Device Management > Advanced > Embedded Event Manager > Add Event Manager Applet > Add Event Manager Applet Event.

Troubleshooting crashes

The show tech-support command output and show crashinfo command output includes the most recent 50 lines of generated syslogs. Note that you must enable the logging buffer command to enable these results to appear.

Remote Access Features

Support for ECDHE-ECDSA ciphers

TLSv1.2 added support for the following ciphers:

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-AES256-GCM-SHA384
  • AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-GCM-SHA256
  • RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256

Note: ECDSA and DHE ciphers are the highest priority.

We modified the following screen: Configuration > Remote Access VPN > Advanced > SSL Settings.

Clientless SSL VPN session cookie access restriction

You can now prevent a Clientless SSL VPN session cookie from being accessed by a third party through a client-side script such as Javascript.

Note: Use this feature only if Cisco TAC advises you to do so. Enabling this command presents a security risk because the following Clientless SSL VPN features will not work without any warning.

  • Java plug-ins
  • Java rewriter
  • Port forwarding
  • File browser
  • Sharepoint features that require desktop applications (for example, MS Office applications)
  • AnyConnect Web launch
  • Citrix Receiver, XenDesktop, and Xenon
  • Other non-browser-based and browser plugin-based applications

We introduced the following screen: Configuration > Remote Access VPN > Clientless SSL VPN Access > Advanced > HTTP Cookie.

This feature is also in 9.2(3).

Virtual desktop access control using security group tagging

The ASA now supports security group tagging-based policy control for Clientless SSL remote access to internal applications and websites. This feature uses Citrix’s virtual desktop infrastructure (VDI) with XenDesktop as the delivery controller and the ASA’s content transformation engine.

See the following Citrix product documentation for more information:

OWA 2013 feature support has been added for Clientless SSL VPN

Clientless SSL VPN supports the new features in OWA 2013 except for the following:

  • Support for tablets and smartphones
  • Offline mode
  • Active Directory Federation Services (AD FS) 2.0. The ASA and AD FS 2.0 can’t negotiate encryption protocols.

We did not modify any screens.

Citrix XenDesktop 7.5 and StoreFront 2.5 support has been added for Clientless SSL VPN

Clientless SSL VPN supports the access of XenDesktop 7.5 and StoreFront 2.5.

See http://support.citrix.com/proddocs/topic/xenapp-xendesktop-75/cds-75-about-whats-new.html for the full list of XenDesktop 7.5 features, and for more details.

See http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-about.html for the full list of StoreFront 2.5 features, and for more details.

We did not modify any screens.

Periodic certificate authentication

When you enable periodic certificate authentication, the ASA stores certificate chains received from VPN clients and re-authenticates them periodically.

We modified the following screens:

Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates

Certificate expiration alerts

The ASA checks all CA and ID certificates in the trust points for expiration once every 24 hours. If a certificate is nearing expiration, a syslog will be issued as an alert. You can configure the reminder and recurrence intervals. By default, reminders will start at 60 days prior to expiration and recur every 7 days.

We modified the following screens:

Configuration > Device Management > Certificate Management > Identity Certificates
Configuration > Device Management > Certificate Management > CA Certificates

Enforcement of the basic constraints CA flag

Certificates without the CA flag now cannot be installed on the ASA as CA certificates by default. The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate. You can configure the ASA to allow installation of these certificates if desired.

We modified the following screens: Configuration > Device Management > Certificate Management > CA Certificates

IKEv2 invalid selectors notification configuration

Currently, if the ASA receives an inbound packet on an SA, and the packet’s header fields are not consistent with the selectors for the SA, then the ASA discards the packet. You can now enable or disable sending an IKEv2 notification to the peer. Sending this notification is disabled by default.

Note: This feature is supported with AnyConnect 3.1.06060 and later.

IKEv2 pre-shared key in Hex

You can now configure the IKEv2 pre-shared keys in hex.

We modified the following screen: Configuration > Site-to-Site VPN > Connection Profiles

Administrative Features

ASDM Username From Certificate Configuration

This feature introduces the ability to authorize ASDM users by extracting the username from the certificate along with using the username provided by the user.

We introduced the following screen: Configuration > Device Management > Management Access > HTTP Certificate Rule

We modified the following screen: Configuration > Device Management > Users/AAA > AAA Access > Authorization

terminal interactive command to enable or disable help when you enter ? at the CLI

Normally, when you enter ? at the ASA CLI, you see command help. To be able to enter ? as text within a command (for example, to include a ? as part of a URL), you can disable interactive help using the no terminal interactive command.

REST API Version 1.1

We added support for the REST API Version 1.1.

 

No Comments

Leave a Comment

Your email address will not be published. Required fields are marked *

Contact Us